IE 5.0 WPAD Spoofing - 02 Dec 1999

According to the report, "The IE 5 Web Proxy
Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings
without user intervention. The algorithm used by WPAD prepends the hostname
'wpad' to the fully-qualified domain name and progressively removes subdomains
until it either finds a WPAD server answering the hostname or reaches the third-level
domain."

"For instance, web clients in the domain
a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then
wpad.microsoft.com. A vulnerability arises because in international usage, the third-level
domain may not be trusted. A malicious user could set up a WPAD server and serve proxy
configuration commands of his or her choice."
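
The lookup sequence described in the report, written out as an added example (not code from the report or from the vendor): it lists the names a client would query and flags any whose parent zone lies outside the organisation's own domain, which is the audit a DNS administrator would run. The function names, the `org_domain` parameter and the `example.co.uk` sample domains are assumptions constructed for illustration.

```python
def wpad_candidates(client_domain):
    """Names queried under the algorithm quoted above: prepend 'wpad' to the
    client's domain, strip the leftmost subdomain each round, and stop once
    the candidate is a third-level name (wpad + two labels)."""
    labels = [l for l in client_domain.lower().strip(".").split(".") if l]
    names = []
    while len(labels) >= 2:
        names.append(".".join(["wpad"] + labels))
        labels = labels[1:]  # remove one subdomain and try again
    return names


def audit(client_domain, org_domain):
    """Pair each candidate with True if its parent zone is org_domain or a
    subdomain of it. org_domain is supplied by the administrator (assumption:
    it is the zone the organisation actually controls)."""
    org = org_domain.lower().strip(".")
    results = []
    for name in wpad_candidates(client_domain):
        parent = name.split(".", 1)[1]
        inside = parent == org or parent.endswith("." + org)
        results.append((name, inside))
    return results


def untrusted_lookups(client_domain, org_domain):
    """Candidates that would be answered by a zone the organisation does not run."""
    return [name for name, inside in audit(client_domain, org_domain) if not inside]


if __name__ == "__main__":
    # Constructed sample domains: the report's own example, plus a
    # country-code layout where the registered domain has three labels.
    samples = [
        ("a.b.microsoft.com", "microsoft.com"),
        ("sales.emea.example.co.uk", "example.co.uk"),
    ]
    for client, org in samples:
        print(client)
        for name, inside in audit(client, org):
            print("  %-34s %s" % (name, "inside org" if inside else "OUTSIDE org zone"))
```

For the report's own example every lookup stays under microsoft.com; for the constructed `example.co.uk` client the final lookup is `wpad.co.uk`, a name the organisation does not control.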